Dial-up, VPN and Network Devices hacking

Dial-up hacking Phone number footprinting: phone directories (on-line and CD-ROM) Wardialing (scanning): automatically dialing a range of numbers, like in telemarketing, using a hardware/software combination. PC with serial ports and modems it is all that is needed Software: ToneLoc, THC-Scan (free) and Phone Sweep (commercial). See book. Typically: one modem can wardial 10,000 numbers in 7 days of 24 hours. Telcos take this seriously and in many areas this is illegal (ping sweep is not). Penetration Domains : once logs are obtained the connections can be classified as (see book for examples in QBASIC): LHF - easily guessed or commonly used passwords for known systems Single authentication, unlimited attempts Single authentication, limited attempts Dual authentication, unlimited attempts Dual authentication, limited attempts Basic countermeasures: Inventory and consolidate modem lines, use at least dual authentication with limited attempts, put in DMZ.

PBX, Voic , VPN PBX: most PBX are no longer electro-mechanic machines, but rather computers with IP numbers, graphical interfaces, etc. Types: Octel, Williams, Meridian, ROLM, ATT -- all with specific ways to login (some very easy to hack, see book). Basic countermeasure: only turn modem on when maintenance is needed, turn off most of the time. Voic low impact, brute force attempts, but no logs (voice answers). VPN: tunneling private data through the Internet with encryption, reducing WAN costs, and supporting modern electronic commerce. VPN Tunneling involves encapsulation of a datagram within another, be it IP within IP (IPSec) or PPP within GRE (PPTP)IPSecPPTP IPSec (replaces PPTP) and Layer 2 Tunneling Protocol - L2TP (replaces L2F) are the most used VPN standards.

VPN Hacking Microsoft PPTP: originally had a weak encryption function, algorithm (RSA), the TCP port (1723) used for connection control was vulnerable to DoS attacks, only the data was encrypted. NT: Service Pack 4 closed these vulnerabilities, Win 9x clients should be upgraded to DUN 1.3 to use these improvements. Win 2k, XP, 7: came with IPSec support as we saw previously. See VPN with Single Sign On in Windows 7. VPN with Single Sign On in Windows 7 IPSec: very difficult to understand, even by experts. Hackers do not seem to have figured it out yet, what is good. Schneier and Ferguson (renowned experts) conclusion: IPSec is too complex to be secure, but it is better than any other security protocol in existence. Schneier and Ferguson Different implementations: VPN requires the use of VPN gateways in the server side. Read this article to see a comparison of these types.this article VOIP hacking: sniffing and enumeration. New tools potential.sniffing and enumerationpotential

Network Devices Detection: use traceroute to find the border router.traceroute Port Scanning: Use Nmap or SuperScan and WUPS to scan TCP and UDP ports. In linux use dig to obtain information: e.g. dig -t mx ubalt.eduNmapSuperScan Routers ports (book page 398). If no ports found means security is in place.ports If you find ports open you may be able to identify the type of device (routers, switches, hubs) and their manufacturers. OS Identification: using Nmap and other tools seen previously. Penetration: Once telnet or shell ports are found we can connect and use the data base of passwords to login if the administrator failed to change the default password, but brute force also can be used.we can connectdata base of passwords SNMP: allow to check status, configuration and change the configuration. You should restrict its use, if allowing it at all through your border router. BackDoors : accounts meant for vendors to enable them to bypass a locked-out administrator, but which offer hackers a back door. Vendors like 3Com,Bay, Cisco, Shiva have created these accounts. Change the defaults!! See also more details in the book, if you manage one of these devices.defaults

Other vulnerabilities Specific vulnerabilities: Cisco and Ascend write MIB. Cisco weak password encryption. TFTP (most routers). Bay config file is clear text.TFTP Shared vs Switched: shared media broadcasts to all nodes. Switched media builds a table of MAC addresses and send the messages to a specific MAC. Use Snmpsniff in Linux to sniff in shared media networks.Snmpsniff Packet sniffing was developed for the shared media environment, but There are now packet-sniffing tools for switches. Dsniff is easily installed in Ubuntu: use sudo apt-get install dsniff. Use sudo to run it. There is a FAQ to help you with its use. See example.now Dsniff FAQ example Basic countermeasure: use encryption in all your traffic, such as PKI (1,2). You can also use VPN to create more secure connections.12 Arp redirect: arp redirect is part of the dsniff package (traffic goes through an attacker machine). RIP spoofing: Again use WUPS or NMAP to scan port 520 (RIP). A C program rprobe was written to demonstrate how to spoof/redirect.WUPS NMAPrprobe